Threat behavior
Worm:Win32/Neeris.B is a chat client worm with backdoor Trojan functionality. The worm uses API calls for both Windows Messenger and AOL Messenger to send messages to contacts, with an attached file containing a copy of the worm. Worm:Win32/Neeris.B connects to an IRC server and waits to receive commands, such as to self-update, remove itself, download various programs and malware, or terminate running processes.
When Worm:Win32/Neeris.B is executed, it performs the following actions:
Terminates if the currently logged-on user is named "CurrentUser"
Creates a mutex named "XipR0R"
Drops the following files:
%Windir%\My_Pictures2007.zip (contains a copy of the worm)
%Windir%\system\CSRSS.EXE
Modifies the system registry to run the worm at each Windows startup:
Adds value: MeltCc32
With data: CSRSS.EXE
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions
Adds value: Runtime Server Subsystem
With data: %WinDir%\system\CSRSS.EXE
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Hides itself (CSRSS.EXE) from Task Manager process list
Adds itself to the Windows Firewall list of authorized applications (firewall exceptions), which is stored in this registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Injects code into the Windows shell application Explorer.exe
Modifies a registry entry that instructs the operating system to wait 7 milliseconds before terminating services during system shutdown or restart, possibly masking symptoms of infection by the worm:
Modifies value: WaitToKillServiceTimeout
With data: 7000
In subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
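The registry changes listed above are the durable host artifacts a responder can look for after the fact. The following script is an added example, not part of the original write-up or of any Microsoft tool: it parses a regedit-style .reg export (a constructed sample is embedded; the key paths and value names come from the description above) and reports the Neeris.B persistence value, the MeltCc32 marker, the firewall exception and the WaitToKillServiceTimeout change. The check that flags any csrss.exe outside System32 relies on the fact that the genuine csrss.exe lives in %Windir%\system32 and is never launched from a Run value.

```python
import re
from typing import Dict, List

# Constructed .reg export (not a real capture) mimicking an infected host.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Runtime Server Subsystem"="C:\\WINDOWS\\system\\CSRSS.EXE"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions]
"MeltCc32"="CSRSS.EXE"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system\\CSRSS.EXE"="C:\\WINDOWS\\system\\CSRSS.EXE:*:Enabled:CSRSS"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]
"WaitToKillServiceTimeout"="7000"
"""

# Constructed clean export used to show the checks stay silent on a normal host.
CLEAN_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]
"WaitToKillServiceTimeout"="20000"
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run".lower()
SHELLEXT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions".lower()
FW_LIST_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
               r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List").lower()
CONTROL_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control".lower()


def _unescape(s: str) -> str:
    # .reg files escape backslashes and double quotes with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key path (lower-cased): {value name: data}}.
    Only "name"="data" string values are unescaped; other types keep their raw text."""
    entries: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            entries.setdefault(current, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1]
            entries[current][_unescape(name)] = _unescape(data)
    return entries


def check_neeris_indicators(entries: Dict[str, Dict[str, str]]) -> List[str]:
    """Return a human-readable finding for each Neeris.B registry artifact present."""
    findings: List[str] = []
    for name, data in entries.get(RUN_KEY, {}).items():
        # The genuine csrss.exe is started by the session manager, never from Run.
        if name == "Runtime Server Subsystem" or data.lower().endswith("csrss.exe"):
            findings.append(f"Run persistence: {name!r} -> {data}")
    shellext = entries.get(SHELLEXT_KEY, {})
    if "MeltCc32" in shellext:
        findings.append(f"Shell Extensions marker MeltCc32 -> {shellext['MeltCc32']}")
    for name in entries.get(FW_LIST_KEY, {}):
        if name.lower().endswith("csrss.exe"):
            findings.append(f"Firewall exception for {name}")
    if entries.get(CONTROL_KEY, {}).get("WaitToKillServiceTimeout") == "7000":
        findings.append("WaitToKillServiceTimeout set to 7000 (value written by the worm)")
    return findings


def scan_export(text: str) -> List[str]:
    return check_neeris_indicators(parse_reg_export(text))


if __name__ == "__main__":
    for finding in scan_export(SAMPLE_REG_EXPORT):
        print("[!]", finding)
```

Real regedit exports ("Version 5.00") are written as UTF-16 with a byte-order mark, so read the file with `encoding="utf-16"` before handing the text to `scan_export`. The 7000 check is exact because that is the value the write-up reports; a broader triage rule would compare the timeout against the build's default instead.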
Locates Windows Messenger and AOL Instant Messenger Internet chat clients, and if found:
determines various locales
based on the locale values, generates messages in the common language of the locale
attaches the file My_Pictures2007.zip to generated messages
Messages are created using any of the following text, picked at random:
hey man accept my pics. :( i just edited it to look maad funny..
Dude i found your picture on hotornot.com! Take a look!
do I look dumb in this picture? I want to put it on myspace.
hey you got a myspace album? anyways heres my new myspace album :) accept k?
ok, I DO NOT like my new hair color.. but people on facebook do. what do you think? And no laughing! lol
Have you seen me Naked Yet :D
OMG, i found ur pic on cuteornot.com! Check it out!!!
Hey just finished new myspace album! :) theres a few kinky ones in there!
I think this picture is terrible. but my friends on myspace want to see it. please dont show noone.
Hey accept my pictures, i got a bunch from when i was like a toddler :X
OMG just accept please its only some pics!!
do you think this picture is too kinky for Myspace?
Wanna see my pics before i send em to facebook?
dude i just got these pictures off my digital for you! Gimme a moment to find em and send
haha, this guy up my street just slammed his $90k car into a telephone pole! I got a pic of it with my cellphone
Can you believe somone actually wears this size bra? I could use it for a Tent.
I've been editing some pics you should def see em loL! accept :)
Lmfao hey im sending my new pictures! Check em out!
I cant believe they wanted me to upload this picture to facebook lol. Its terrible. Like my outfit tho?
Take a look at the new pics already! :p
wanna see this pic of my Boobs?
Can i put this pic of you into my new myspace album?
wow! look at this old picture i found....
OMFG!!!!!!!! :D
my crazy sister wants u to see these pics for some reason... take a look
wow I just dyed my hair... You will never believe the color it is now. lol And dont laugh
is this pic tooo sexy for photobucket??
sry about the messup i fixed the pic! Try it one more time pz
you care if i put this pictuer of you in my new album?
can i up some of these pics of ya to my myspace profile?
hey did i ever show you this picture of me?
haha lets hope your parents dont see this picture of you :D
Wow i think i found your pic on myspace!
This picture isnt you... right?
Worm:Win32/Neeris.B connects to an IRC server using TCP port 21888, and awaits commands from an attacker, which can include:
Self-update
Remove itself from the infected system
Download additional files / new malware
Itemize and terminate various processes
Initiate or stop its Messenger spreading routine
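The command channel gives a network-side detection opportunity to complement the registry checks: the write-up fixes the IRC port at TCP 21888, the bot runs as a CSRSS.EXE outside System32, and it also injects code into Explorer.exe, so outbound connections from explorer.exe to unusual ports are worth flagging. The script below is an added example, not part of the original write-up. It runs three such rules over constructed connection records shaped like Sysmon Event ID 3 fields (Image, Protocol, DestinationIp, DestinationPort); the baseline set of ports explorer.exe is expected to use is an assumption for illustration, and the IP addresses are documentation ranges.

```python
from typing import Dict, List

NEERIS_C2_PORT = 21888  # IRC control port stated in the write-up
# Assumed baseline: ports explorer.exe legitimately talks to (web, SMB/NetBIOS).
EXPLORER_EXPECTED_PORTS = {80, 443, 139, 445}

# Constructed records, not real telemetry.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"UtcTime": "2008-01-10 12:00:01", "Image": r"C:\WINDOWS\explorer.exe",
     "Protocol": "tcp", "DestinationIp": "203.0.113.10", "DestinationPort": 21888},
    {"UtcTime": "2008-01-10 12:00:07", "Image": r"C:\WINDOWS\system\CSRSS.EXE",
     "Protocol": "tcp", "DestinationIp": "203.0.113.10", "DestinationPort": 21888},
    {"UtcTime": "2008-01-10 12:01:15", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "Protocol": "tcp", "DestinationIp": "198.51.100.5", "DestinationPort": 443},
    {"UtcTime": "2008-01-10 12:02:40", "Image": r"C:\WINDOWS\explorer.exe",
     "Protocol": "tcp", "DestinationIp": "192.0.2.8", "DestinationPort": 445},
]


def event_alerts(ev: Dict[str, object]) -> List[str]:
    """Return the names of the rules a single connection record trips."""
    image = str(ev["Image"]).lower()
    exe = image.rsplit("\\", 1)[-1]
    port = int(ev["DestinationPort"])
    alerts: List[str] = []
    if str(ev["Protocol"]).lower() == "tcp" and port == NEERIS_C2_PORT:
        alerts.append("neeris_c2_port")
    # The genuine csrss.exe lives in System32 and makes no outbound connections.
    if exe == "csrss.exe" and "\\system32\\" not in image:
        alerts.append("csrss_outside_system32")
    # Code injected into Explorer shows up as explorer.exe talking to odd ports.
    if exe == "explorer.exe" and port not in EXPLORER_EXPECTED_PORTS:
        alerts.append("explorer_uncommon_port")
    return alerts


def scan_events(events: List[Dict[str, object]]) -> List[Dict[str, str]]:
    """Evaluate every record and return one hit per rule that fired."""
    hits: List[Dict[str, str]] = []
    for ev in events:
        for rule in event_alerts(ev):
            hits.append({
                "rule": rule,
                "time": str(ev["UtcTime"]),
                "image": str(ev["Image"]),
                "dst": f"{ev['DestinationIp']}:{ev['DestinationPort']}",
            })
    return hits


if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(f"[{hit['rule']}] {hit['time']} {hit['image']} -> {hit['dst']}")
```

The port rule alone is brittle (an operator can move the IRC server), which is why the process-based rules are paired with it: a CSRSS.EXE outside System32 opening a socket, or explorer.exe reaching a port outside its baseline, survives a port change.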
Prevention